--- layout: post title: Shooting yourself into the foot with Wireguard date: 2023-07-02 20:11 +0200 lang: en categories: tech description: "The pitfalls of WireGuard, what can go wrong. A personal experience report." --- Sunday afternoon. I'm sitting somewhere outside away from home. Suddenly I remember I forgot to switch my roomba on. Ugh. But no worries, I got a Wireguard connection set up, so I can connect to home and switch it on from there. Hm. Unfortunately I can't connect to my home router (OpenWRT). Did the dynamic DNS address fail to update again? Now that I think about it, I can't remember I actually I ever tested the connection. I tested the connection once when my OpenWRT router was still running in a VM. Maybe I forgot to set up some things? {% linked_image url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-0ecdfc52.png" img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-0ecdfc52-sm.png" alt="A diagram showing the network components of my Wireguard setup." %} But hey, no worries, I'll simply connect to my VPS, and let the Wireguard routing do its job. Just move the `AllowedIP=0.0.0.0/24` setting from the OpenWRT endpoint to the VPS endpoint on the smartphone. I can ping my VPS' Wireguard address, but unfortunately, pings to my OpenWRT "do nothing". ping doesn't show any output, simply seems stuck. Weird. Well, okay, I after I finished enjoying the outsides, I went home to try to figure out what went wrong. Well, lets see, what are the AllowedIPs... {% linked_image url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-5df12e17.png" img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-5df12e17-sm.png" alt="Same diagram as before. Added: AllowedIPs." %} Hm. Seems good enough. The smartphone pings to the VPS get answered all right. The AllowedIPs match there. On the VPS via SSH, I can..... not ping my OpenWRT router. Hm. Ugh, oh yeah! NAT. Let's edit the Wireguard config on OpenWRT to send `KeepAlive` packages. Also, I noticed I didn't set a firewall `INPUT` rule in OpenWRT to allow packages from the upstream router to the Wireguard port. Let's fix that. (That makes the `KeepAlive` unnecessary technically. *However*, I want to avoid possible dynamic DNS problems as well. So let my OpenWRT just regularly send a keep-alive). So let's test again... ping from Smartphone to VPS work. ping from VPS to OpenWRT work. ping from Smartphone to OpenWRT... Still stuck. The heck? Okay, let's see the configs again. Very carefully. {% linked_image url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-597a7b3d.png" img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-597a7b3d-sm.png" alt="Same diagram. Added on OpenWRT, AllowedIP setting for Smartphone." %} Well, oops. I still had the smartphone set up as a possible client on OpenWRT. Apparently, the ping from my smartphone went through my VPS to OpenWRT just fine It was just... when trying to send the ping reply, OpenWRT / Wireguard found the `AllowedIP` setting for the smartphone and probably tried to send the reply directly. Which isn't possible, since the smartphone naturally has no endpoint address set. (And no, there was no routing entry for the smartphone itself). So, to test if this is the problem, I removed the `AllowedIP` setting from the smartphone on the OpenWRT config. And... the ping works. I can't keep it like that, though. So... I added back the `AllowedIP` setting to the smartphone, and instead modified the config on Wireguard for Android. Let everything Wireguard-internal route via OpenWRT. (Reminder: longest prefix wins. `/24` is longer than `/0`). {% linked_image url="https://pics.uvokchee.de/upload/2023/07/02/20230702203947-9169ae4a.png" img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702203947-9169ae4a-sm.png" alt="Same diagram, fixed AllowedIPs on smartphone." %} Et voilá! ping still works. Only... I still couldn't start my roomba. No wonder, OpenWRT was configured not to allow any `FORWARD`ing from the Wireguard zone. (Masquerading on the Wireguard zone was already enabled by the way.) So, after adding the zone with my roomba to the list the Wireguard zone is allowed to forward to, I could reach my roomba as well. All is good... Until the next time something breaks.